Oklahoma Hacked: The Security Flaws That Put Your Information at Risk

Hackers are always working to get your money or your personal information.  You have undoubtedly seen the emails or received the phone calls that want you to give up details about your life or bank account.  Those hacking attacks don t stop even when you are at work; even if you work for the state.

I can't tell you how many times I ve seen that fishing scam where you get the notification your email inbox is full, said Alex Pettit, Oklahoma s Chief Information Officer. 

Pettit is in charge of the state s information technology, or IT, network.  Legislation a few years ago put his office in charge of consolidating the state s computer system and all the various IT departments. 

At first the consolidation began an agency at a time, but Pettit soon made an alarming discovery.  We'd found that many of the groups had not had very good security practices in place.  

Those security holes included missing anti-virus and anti-spam software to faulty firewalls.  In some cases agencies tried to cut corners on their budgets by not updating or not paying for virus protection.  In some cases we had agencies that were running freeware software for their virus protection, Pettit told Fox 25.  Or they had purchased virus protection software, but they had let the licensing lapse.

Those security mistakes were prominent within the Oklahoma Department of Tourism.  It was during consolidation that Pettit s team discovered hackers had managed to infiltrate computers used as cash registers at one tourism location.  Hackers installed malware designed to find and send out banking information.  Emails received by Fox 25 reveal there were multiple computers infected by malware at various Tourism locations.  However it appears only one computer had all the software needed to complete the invasive program.

Pettit says ultimately they only believe two people s personal information was compromised.  Though when asked if they are certain the breech only affected two individuals Pettit said, The direct answer to the question is we don't know what we don't know.

If you can't trust the folks you do business with then you're not going to do business with them.   Pettis says they cleared up the tourism security holes and moved immediately to make security solutions a priority for every agency regardless of if they had gone through the IT consolidation. 

However the problems do not end there.  It turns out the Tax Commission is also putting your personal information at risk because of its encryption procedures.  Potentially we have a vulnerability, Pettit said.

Right now when your tax records are sitting on the state server, or at rest, they are not encrypted.  While there are other security procedures in place to help block hackers, Pettit says encryption is a helpful final block against hackers.  We have different security protocols and what kind of remote access we allow, Pettit said. 

However the at rest data encryption is the same security flaw that hackers exploited in South Carolina.  The world learned of that hack in October of 2012.  Oklahoma was aware that just like South Carolina, all it takes is a careless employee to fall for a phishing scam and give out access codes to put records at risk. 

The hackers in South Carolina compromised nearly 4 million tax records, so you would think Oklahoma would be eager to prevent a similar attack.  Pettit wanted to move the tax records to a more secure server.  When that is accomplished all that data when it is at rest will be encrypted.

However the Tax Commission requested a delay in making their servers secure.  Pettit said the commission wanted the delay to get them through the busy tax season; a time when all Oklahomans are required by law to get their information in on time. 

The tax commission refused multiple requests for an interview on this subject saying they would not discuss security procedures.  However no one from the agency would answer questions about why they did not immediately move to ensure Oklahomans tax records were safe when hackers proved the same vulnerability could be exploited. 

Instead the agency released a statement that said they comply with the Internal Revenue Service s guidelines for security.  In addition the statement from communications director Paula Ross said, The agency also utilizes COBIT, the security standards used by the State of Oklahoma s State Auditor and Inspector as another primary source of security control guidance. Furthermore, for a number of years the OTC has hired a nationally-known security firm to conduct Network Penetration Audit and Vulnerability Assessments in addition to Internet and Dial-up Vulnerability Assessments.

Pettit says because state employees still have to do their jobs and work with sensitive data we will never be able to make our network hack proof.   However he says implementing standards for security will help make sure it is less likely information will be compromised. 

Still the biggest threat to the state s network is still out there.  The greatest vulnerability we have is from our own people.   Pettit said that is why education and practicing good security procedures is necessary to make sure mistakes do not happen.  Oklahoma Hacked: The Security Flaws That Put Your Information at Risk

Posted: Thursday, February 7 2013, 09:57 PM CST